Cisco DDoS Mitigation Service Provider Solutions
February 15, 2005
© 2005 Cisco Systems, Inc. All rights reserved.
Executive Summary
• Detects AND MITIGATES the broadest range of distributed denial of service (DDoS) attacks
• With the granularity and accuracy to ENSURE BUSINESS CONTINUITY by forwarding legitimate transactions
• Delivering the performance and architecture suitable for the LARGEST ENTERPRISES AND PROVIDERS
• Addresses DDoS attacks today, and its network-based behavioral anomaly capability will be extended to additional threats
THE DDoS PROBLEM
Attack Evolution
Stronger and More Widespread
[Chart: axes are Scale of Attacks and Sophistication of Attacks; stages are Past, Present, Emerging]
• Nonessential protocols (e.g., ICMP); 100s of sources; 10K packets/second
• Essential protocols; spoofed; 10K zombies; 100K packets/second; compound and morphing
• Two scaling dimensions: millions of packets/second; 100Ks zombies
Chart labels: Potentially random; Targeted economic; Publicity driven; Mainstream corporations; High-profile targets; Niche targets
“Much larger attack network than anything before. This horsepower could take down thousands of big sites…at the same time, and keep them down for quite a while.”
“MyDoom Taste of Viruses to Come, Says Security Analyst,” Reuters, February 3, 2004
Security Challenges
The Cost of Threats
Dollar Amount of Loss by Type of Attack (CSI/FBI 2004 Survey)

Type of attack                        Loss
Sabotage                              $871,000
System Penetration                    $901,500
Web Site Defacement                   $958,100
Misuse of Public Web Application      $2,747,000
Telecom Fraud                         $3,997,500
Unauthorized Access                   $4,278,205
Laptop Theft                          $6,734,500
Financial Fraud                       $7,670,500
Abuse of Wireless Network             $10,159,250
Insider Net Abuse                     $10,601,055
Theft of Proprietary Info             $11,460,000
Denial of Service                     $26,064,050

Total Losses for 2004: $141,496,560 (2004: 269 Respondents)
Source: Computer Security Institute, 2004 CSI/FBI Computer Crime and Security Survey
“E-biz Sites Hit With Targeted Attacks”
“16% of the attacks against e-commerce sites were identified as targeted. Last year, only 4% were aimed at specific sites.”
• ComputerWorld, September 27, 2004
“Extortion schemes that use attacks like the one against Authorize.Net are becoming more common . . . definitely targeted, ransom-type attacks, and there's going to be a lot more of them.”
• John Pescatore, Gartner Inc., ComputerWorld, September 27, 2004
DDoS Is a Business Issue
Impacts Revenue and Customer Retention
Not just downtime:
• Lost customers
• Damaged reputations
• Contractual liabilities
Online payment system badly disrupted for three days by malicious DDoS attack. Worldpay’s rivals attempted to poach online retail customers during the attack by offering “emergency services”
SOLUTION OVERVIEW
DDoS Protection
Cisco Service Modules (FCS 1QCY05)
Cisco Traffic Anomaly Detector Module
• Attack DETECTION to support on-demand, shared scrubbing
• Monitors COPY OF TRAFFIC
Cisco Anomaly Guard Module
• Attack ANALYSIS AND MITIGATION
• Diverts traffic flows for ON-DEMAND SCRUBBING
Cisco DDoS Product Family
DDoS Mitigation: Cisco Guard XT 5650, Cisco Anomaly Guard Module
DDoS Detection: Cisco Traffic Anomaly Detector XT 5600, Cisco Traffic Anomaly Detector Module
Maximum deployment flexibility. Similar functionality and performance. Interoperable for mixed deployments.
DDoS Protection
Cisco Service Modules (cont.)
• Guard/Detector MVP-OS Release 4.0
• Single-slot modules for Cisco Catalyst® 6500 Switch and 7600 Router
• Interfaces via backplane—no external ports
• Gigabit performance—future licensed upgrade to multigigabit supported
• Native Cisco IOS® 12.2(18)SXD3
• Multiple Guards and Detectors per chassis and single-destination IP/zone
• CLI, Web GUI, and SNMP management
Integrated Services Benefits
• High-Performance Intelligent Network
• Deployment Flexibility
• Lower Cost of Operations
• Scalability
• Infrastructure and Services Integration
• Reliability and High Availability
Layer 4–7 Services Modules Family
• IDSM-2 Module
• CSM Module
• NAM-1 and NAM-2 Module
• Firewall Module
• VPN Module
• SSL Module
• Cisco Traffic Anomaly Detector Module
• Cisco Anomaly Guard Module
Flexible Deployment Options
Integrated system:
• Fits existing switch/routing infrastructure with other services
• Utilizes available slots—no interface ports or rack space
• Ideal for data center deployments of 1–3 modules
• Intrachassis diversion
[Diagram labels: Guard Module, Detector Module]
Flexible Deployment Options (cont.)
Dedicated system:
• New chassis dedicated to DDoS
• Supports large range of flexible I/O
• Ideal for high-capacity deployments (4+ modules) with supervisor for load leveling
• External diversion via Cisco IOS® supervisor routing
[Diagram label: Anomaly Guard Modules]
Key Features
DIVERSION ARCHITECTURE
MULTISTAGE VERIFICATION PROCESS
DIVERSION ARCHITECTURE
Dynamic Diversion At Work
Protected zones: Zone 1: Web; Zone 2: Name Servers; Zone 3: E-Commerce Application
Cisco Traffic Anomaly Detector Module (or Cisco IDS or third-party system)
Cisco Anomaly Guard Module
1. Detect (Target)
2. Activate: Auto/Manual
3. Divert only target’s traffic
   Route update: RHI internal, or BGP/other external
4. Identify and filter malicious traffic (Traffic Destined to the Target)
5. Forward legitimate traffic (Legitimate Traffic to Target)
6. Non-targeted traffic flows freely
Route entries shown:
   O 192.168.3.0/24 [110/2] via 10.0.0.3, 2d11h, GigabitEthernet2
   B 192.168.3.128/32 [20/0] via 10.0.0.2, 00:00:01
   192.168.3.128 = zone, 10.0.0.2 = Guard
Cisco Catalyst Service Module
• Solution Overview
[Diagram labels: Cat6K/7600; Switch Fabric; Supervisor Engine 2 or 720; Line Card Module (two); Anomaly Guard Module; Traffic Anomaly Detector Module; Firewall Service Module; Internal Network; Alert; Dynamic route diversion]
Cisco Catalyst Service Module (cont.)
• Maintains “on-demand” scrubbing model
  Internal to chassis from Supervisor to Guard
  Uses Route Health Injection protocol
• Supports dedicated “appliance” mode
  Suitable for cluster
  Supervisor redistributes route update
• Cisco Catalyst® 6K/7600 Router benefits:
  IOS routing: extensive protocol and tunneling support and familiar CLI
  Extensive interfaces including fiber OC/STM
  Control Plane Policing for DDoS hardening
Anomaly Guard Module Packet Flow
Supervisor 2/SFM or Supervisor 720
[Diagram with numbered steps 1–5. Labels: Supervisor 2 or Supervisor 720 with R(x)000 CPU, Routing Table and Master FIB Table; Cisco Catalyst® 6000 32 Gbps bus; Input Line Card; Output Line Card; Anomaly Guard Module; Medusa; Crossbar Fabric]
MULTISTAGE VERIFICATION PROCESS
Multiverification Process (MVP)
Integrated Defenses in the Guard
Input: Legitimate + Attack Traffic to Target
Defenses shown: Active Verification; Statistical Analysis; Layer 7 Analysis; Rate Limiting; Dynamic and Static Filters
• Detect anomalous behavior and identify precise attack flows and sources
• Apply antispoofing to block malicious flows
• Dynamically insert specific filters to block attack flows and sources
• Apply rate limits
Output: Legitimate Traffic
Intelligent Countermeasures
DETECTION
• Passive copy of traffic monitoring
ANALYSIS
• Diversion for more granular inline analysis
• Flex filters, static filters, and bypass in operation
• All flows forwarded but analyzed for anomalies
BASIC PROTECTION
• Basic antispoofing applied
• Analysis for continuing anomalies
STRONG PROTECTION
• Strong antispoofing (proxy) if needed
• Dynamic filtering of zombie sources
LEARNING
• Periodic observation of patterns to automatically update baseline profiles
Transitions shown: Attack Detected; Anomaly Verified; Anomaly Sources Identified
Benefits:
• Accuracy
• Maximized performance
• Maximum transparency
• Automated response
High Performance and Capacity
• 1 MPPS+ most attacks, good and bad traffic, typical features
• 150 K DYNAMIC FILTERS for zombie attacks
• CLUSTERING TO 8 GUARDS for single protected host
• Capacity
  30 CONCURRENTLY PROTECTED ZONES (90 for the Detector) and 500 total
  1.5 million concurrent connections
• Latency or jitter: < 1 MSEC
Anomaly Recognition and Active Verification Features (cont.)
Anomaly Recognition:
• Extensive profiling of individual flows
  From individual src-IPs and src-nets to dst-IPs/ports by protocol
• Depth of profiles
  Packets, syns and requests, fragments as well as ratios
  Connections by status, authentication status and protocol specific data…
• Default normal baselines with auto-learning on site
  Baselines for typical as well as top sources and proxies
Anomaly Recognition and Active Verification Features (cont.)
Active Verification/Antispoofing:
• Broad application support
  TCP and UDP applications, including HTTP, HTTPS, SMTP, IRC, DNS and commercial and custom applications
• Authenticates
  SYNs, SYNACKs, FINs, regular TCP packets, DNS requests and replies and more…
Antispoofing Defenses
Example: Basic Level for HTTP Protocol
[Sequence diagram between Source, Guard and Target]
  Source to Guard: Syn(c#)
  Guard: Hash-function(SrcIP,port,t)
  Guard to Source: synack(c#,s#)
  Source to Guard: ack(c#,s#)
  Guard: “=” check against SrcIP, port#
  Guard to Source: Redirect(c#,s#)
  New connection: Syn(c#’), Synack(c#’,s#’), request(c#’,s#’)
  Verified connections reach the Target
• Antispoofing only when under attack
• Authenticate source on initial query
• State kept only for legitimate sources
• Subsequent queries verified
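The basic-level exchange on this slide, sketched as an added example (not Cisco's code and not the Guard's actual algorithm): a keyed hash over (SrcIP, port, t) serves as s#, so the Guard stores nothing until the ACK returns it. The HMAC-SHA256 construction, the secret key, the 64-second time slot and all addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

SLOT_SECONDS = 64   # assumed width of the time value t; not given on the slide
MASK32 = 0xFFFFFFFF


class GuardAntispoof:
    """Challenge sources with a cookie derived from (SrcIP, port, t).

    Nothing is stored when a SYN arrives, so a flood of spoofed SYNs creates
    no state. State is created only after the ACK proves that the source
    really received the SYN-ACK sent to its claimed address.
    """

    def __init__(self, secret):
        self.secret = secret      # assumed keyed hash; the slide says only "Hash-function"
        self.verified = set()     # state kept only for legitimate sources

    def cookie(self, src_ip, src_port, slot):
        msg = socket.inet_aton(src_ip) + struct.pack("!HI", src_port, slot & MASK32)
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")     # used as s#

    def on_syn(self, src_ip, src_port, c_seq, now):
        """Answer Syn(c#) with synack(c#, s#); returns (ack_number, s#)."""
        s_seq = self.cookie(src_ip, src_port, int(now) // SLOT_SECONDS)
        return (c_seq + 1) & MASK32, s_seq

    def on_ack(self, src_ip, src_port, ack_number, now):
        """Check ack(c#, s#) by recomputing the cookie for the current and previous slot."""
        slot = int(now) // SLOT_SECONDS
        for candidate in (slot, slot - 1):
            expected = (self.cookie(src_ip, src_port, candidate) + 1) & MASK32
            if hmac.compare_digest(struct.pack("!I", expected),
                                   struct.pack("!I", ack_number)):
                self.verified.add(src_ip)
                return "redirect"     # source is told to reconnect
        return "drop"

    def on_new_connection(self, src_ip):
        """Subsequent queries: only verified sources are forwarded to the target."""
        return "forward" if src_ip in self.verified else "challenge"


def simulate():
    guard = GuardAntispoof(secret=b"constructed demo key")
    now = 1_000_000
    results = {}

    # Legitimate client (constructed address) receives the SYN-ACK and echoes s#+1.
    _, s_seq = guard.on_syn("198.51.100.10", 40000, c_seq=1000, now=now)
    results["legit"] = guard.on_ack("198.51.100.10", 40000, (s_seq + 1) & MASK32, now + 1)

    # Spoofed SYNs: the SYN-ACKs go to the forged addresses, so the sender must guess s#.
    for i in range(1, 201):
        guard.on_syn(f"203.0.113.{i}", 1024 + i, c_seq=i, now=now)
    _, real = guard.on_syn("203.0.113.5", 1029, c_seq=5, now=now)
    results["spoofed_guess"] = guard.on_ack("203.0.113.5", 1029, (real + 5) & MASK32, now + 1)

    # A correct cookie returned after its time window has passed is rejected.
    _, old = guard.on_syn("198.51.100.20", 40001, c_seq=7, now=now)
    results["expired"] = guard.on_ack("198.51.100.20", 40001, (old + 1) & MASK32,
                                      now + 3 * SLOT_SECONDS)

    results["state_entries"] = len(guard.verified)
    results["legit_followup"] = guard.on_new_connection("198.51.100.10")
    results["spoofed_followup"] = guard.on_new_connection("203.0.113.5")
    return results
```

After 200 spoofed SYNs the verified set still holds a single entry, which is the "state kept only for legitimate sources" property listed above.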
Broadest Attack Protection
• Random spoofed attacks (e.g., SYN)
  Removes spoofed flows that evade statistical identification
• Focused spoofing of a good source (e.g., AOL proxy)
  Distinguishes good vs. bad flows with same src-IP for selective blocking
• Nonspoofed distributed attack
  Capacity for blocking high-volume, massive and morphing botnets of attackers that:
    Penetrate SYN response defenses
    Thwart any manual responses
Broadest Attack Protection (cont.)
• Nonspoofed client attack (e.g., http half-open)
  Identifies low-volume, protocol anomaly attacks that evade sampled flow data
Management Features
• Console or SSH CLI
• Embedded device manager GUI
• DDoS SNMP MIB and traps
• Extensive syslogging
• Interactive recommendations
• Extensive reporting: GUI, CLI, and XML export by zone
• Packet capture and export
• TACACS+ for AAA
• Future CVDM for Cisco Catalyst® 6K support
DEPLOYMENT SCENARIOS
Hosting or Service Provider Data Center with Service Modules in “Integrated Mode”
[Diagram labels: ISP 1; ISP 2; Catalyst® 6K or 7600 with Sup720 or Sup2 w MSFC; Anomaly Guard Module; Traffic Anomaly Detector Module; Firewall Service Module; GEnet; Catalyst Switch; Guard/Detector Device Manager; Internal Network; DNS Servers; Web, Chat, E-mail, etc.; Target; Attack Alert; RHI Route Update]
Service Provider
Distributed or Edge Protection
• Distributed, dedicated Guards
• Detector CPE for monitoring and optionally activation
[Diagram labels: Peering Point (two); Core Router (two); POP (two); Enterprise A; Enterprise B (Targeted); Enterprise C; Cisco Anomaly Guard Module(s); Optional CPE: Cisco Traffic Anomaly Detector Module or Appliance]
Managed DDoS Service
Centralized Protection
[Diagram labels: Peering Point (two); Core Router (two); POP (two); Enterprise A; Enterprise B (Targeted); Enterprise C; Cisco Traffic Anomaly Detector Module; Cisco Anomaly Guard Modules; Catalyst 6500/7600 Series Router; NetFlow-based Backbone Monitoring; NOC; Activation from Backbone or CPE Detector]
Clustering Topology
[Diagram labels: ISP Upstream (two); Load-Leveling Router; Mitigation Cluster; Cisco Anomaly Guard Modules; Cat 6k/7600; Customer Switches]
Route entries shown:
   B 200.1.1.99 [20/0] via 192.168.1.3, 00:04:08
                [20/0] via 192.168.1.4, 00:04:08
                [20/0] via 192.168.1.5, 00:04:08
                [20/0] via 192.168.1.1, 00:04:08
                [20/0] via 192.168.1.2, 00:04:08
   200.1.1.99 = zone, 192.168.1.1-5 = Guards
Clustering Topology (cont.)
Equal cost multipath routing
• Load levels traffic to a single destination IP
• Across up to 8 Guards per router
• CEF Layer 3 hash delivers consistent assignment per src-dst pair
• NO SPECIAL LOAD BALANCING SOLUTION REQUIRED
• Additional router provides functional partitioning
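The per-src-dst assignment described on this slide can be modelled in a few lines. This is an added example, not Cisco code: the hash (SHA-256 modulo the number of paths) is an assumption standing in for the router's CEF hash, and the source addresses are constructed; the zone and Guard addresses are the ones in the routing-table excerpt.

```python
import hashlib
import ipaddress
from collections import Counter

# Values from the slide's routing-table excerpt.
ZONE = "200.1.1.99"                                # protected zone address
GUARDS = [f"192.168.1.{i}" for i in range(1, 6)]   # five equal-cost next hops
MAX_PATHS = 8                                      # slide: up to 8 Guards per router


def pick_guard(src, dst=ZONE, guards=GUARDS):
    """Choose one next hop for a src-dst pair.

    Assumption: SHA-256 modulo the path count stands in for the router's
    hash, which the slides do not describe.
    """
    if not 1 <= len(guards) <= MAX_PATHS:
        raise ValueError("expected between 1 and 8 equal-cost paths")
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    digest = hashlib.sha256(key).digest()
    return guards[int.from_bytes(digest[:4], "big") % len(guards)]


def spread(sources, guards=GUARDS):
    """Count how many distinct sources land on each Guard."""
    return Counter(pick_guard(s, ZONE, guards) for s in sources)


def moved_fraction(sources, before, after):
    """Share of sources whose Guard changes when the path set changes."""
    moved = sum(pick_guard(s, ZONE, before) != pick_guard(s, ZONE, after)
                for s in sources)
    return moved / len(sources)


# Constructed sample input: 5000 distinct source addresses inside 10.0.0.0/8.
SOURCES = [str(ipaddress.ip_address(0x0A000000 + i * 3301)) for i in range(5000)]

if __name__ == "__main__":
    for guard, count in sorted(spread(SOURCES).items()):
        print(f"{guard}: {count} sources")
    # In this modulo-based model, taking one Guard out reassigns most sources.
    print(f"moved after removing one Guard: "
          f"{moved_fraction(SOURCES, GUARDS, GUARDS[:4]):.0%}")
```

In this model every source keeps the same Guard for as long as the path set is unchanged, while removing or adding a path reassigns most sources; that second result is a property of the modulo stand-in, not a statement about CEF.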
PROVIDER FEATURES AND BENEFITS
Solution Supports Critical Managed Service Requirements
• Significant value-add
  - Mitigation, not just detection
  - Broadest types of attacks
  - Accuracy and transparency
  - Automation for fast response
• Proven competitive advantage => customer retention and acquisition
  - Within hours of attacks that primary provider could not handle, enterprises shifted traffic to backup providers with Cisco DDoS
  - And when subsequently contracting for managed DDoS services, dropped providers that didn’t offer
  - Commercial enterprises readily shift hosting providers based on DDoS capability
  - DDoS protection also on new vendor selection criteria
Solution Supports Critical Managed Service Requirements (cont.)
• Cost-effective operation
  - Defaults and templates for efficient provisioning
  - Automated learning for policy tuning
  - Automation for efficient attack response
  - Provider network deployment
  - On-demand scrubbing
Solution Supports Critical Managed Service Requirements (cont.)
• Provider deployment architecture
  - Supports distributed and centralized deployment
  - Dynamic diversion for ease of installation and high reliability
  - High performance plus N+X clustering for redundancy, incremental scaling, and maintenance
  - SNMP, XML, TACACS+, CLI, syslog for management
  - Activation from and data export to third-party systems
• Shared resources and virtualization supported
  - On-demand scrubbing
  - Zone concept
Managed Services Momentum
Almost all available DDoS managed services are based on the Cisco Guard for mitigation:
• DDoS Defense Option for Internet Protect managed services
• IP Defender managed service
• PrevenTier DDoS Mitigation service
• SureArmour DDoS protection service
• and many others
Positive Industry Response
“We are taking a very positive stance on AT&T’s DDoS Defense option for its Internet Protect service….”
Current Analysis, June 2004
“This announcement is most important to Sprint customers. The service is attractive to customers that want to increase network uptime and avoid DoS attacks.”
Gartner, October 2004
Provider Service Advantages
| Managed Service at Provider | Enterprise Deployment at Data Center |
| --- | --- |
| Protects last-mile bandwidth and all enterprise infrastructure | Last-mile bandwidth and edge router not protected |
| Provider can protect against largest attacks | Can only defend against attacks that don’t exceed last-mile bandwidth |
| Provision and pay only for bandwidth for legitimate traffic | Must overprovision for largest potential attacks and/or pay burst charges |
| Upstream protection can cover multiple data centers | Must replicate protection at all data centers |
| DDoS protection can be efficiently offered as managed service | CPE infrastructure only protects locally and cannot be shared |
| Leverage focused security operations team | Difficult to maintain staff skill on DDoS attacks |